#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#read-protected-path, and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path, 
#and high-protected-path operate on both full and and regular learning 
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname.  This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction.  If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
#these processes.
#
#high-reduce-path modifies the heuristics of the learning process
#to weight in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource.  Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#read-protected-path specifies a path on your system that contains 
#sensitive information.  Any process that reads one of these paths is
#given its own subject in the learning process, facilitating a secure
#policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly.  It is recommended
#to use highly sensitive files for this command.
#
#regular expressions are not supported for pathnames in this config file
#
#
# uncomment this next line if you don't wish to generate a policy that 
# restricts roles to specific IP ranges:
# dont-learn-allowed-ips
#
# to write out your generated policy such that roles are split into separate
# files by the name of the role (within user/group directories), uncomment
# the next line:
# split-roles

always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /var/run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /usr/portage
always-reduce-path /tmp
always-reduce-path /var/tmp

high-reduce-path /dev/.udev
high-reduce-path /dev/mapper
high-reduce-path /dev/snd
high-reduce-path /proc
high-reduce-path /lib
high-reduce-path /lib32
high-reduce-path /libx32
high-reduce-path /lib64
high-reduce-path /lib/tls
high-reduce-path /lib32/tls
high-reduce-path /libx32/tls
high-reduce-path /lib64/tls
high-reduce-path /lib/security
high-reduce-path /lib/modules
high-reduce-path /lib32/modules
high-reduce-path /lib64/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib32
high-reduce-path /usr/libx32
high-reduce-path /usr/lib64
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib32/tls
high-reduce-path /usr/libx32/tls
high-reduce-path /usr/lib64/tls
high-reduce-path /usr/lib64/openoffice
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /sbin
high-reduce-path /bin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib
high-reduce-path /var/lib/openldap-data
high-reduce-path /var/lib/krb5kdc

dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt

protected-path /etc
protected-path /lib
protected-path /boot
protected-path /run
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root
protected-path /sys

read-protected-path /etc/ssh
read-protected-path /proc/kallsyms
read-protected-path /proc/kcore
read-protected-path /proc/slabinfo
read-protected-path /proc/modules
read-protected-path /lib/modules
read-protected-path /lib64/modules
read-protected-path /boot
read-protected-path /etc/shadow
read-protected-path /etc/shadow-
read-protected-path /etc/gshadow
read-protected-path /etc/gshadow-
read-protected-path /sys

high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /proc/slabinfo
high-protected-path /proc/modules
high-protected-path /proc/kallsyms
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /var/backups
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp
high-protected-path /etc/samba/smbpasswd

# to protect kernel images
high-protected-path /boot
high-protected-path /lib/modules
high-protected-path /lib64/modules
high-protected-path /usr/src

inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly

# the below lines are for catching the occasional use of init.d scripts at runtime
# comment them out if you are starting learning before services are started by init
# (a highly non-recommended choice)
inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d

